Privacy body probes Facebook data breach, demands full disclosure

Inday Espina-Varona, ABS-CBN News

Posted at Apr 13 2018 12:25 PM

Dozens of cardboard cutouts of Facebook CEO Mark Zuckerberg are seen during an Avaaz.org protest outside the U.S. Capitol in Washington, U.S., April 10, 2018. Reuters

The Philippines National Privacy Commission has ordered Facebook to furnish information on how it processed and shared with third parties the personal data of 1.18 million Filipinos who may have been affected by the Cambridge Analytica data breach.

In a letter to Facebook founder and head Mark Zuckerberg, Privacy Commissioner Raymund Liboro said the agency is investigating if the data breach violated the country’s Data Privacy Act of 2012 (Republic Act No 10173).

ABS-CBN News was furnished a copy of the letter, dated April 11.

The data breach could be "a symptom of a deeper problem that could pose risks to Filipino Facebook users,” Liboro warned.

Facebook handout image

He said the probe would review the social media giant's “adherence with data processing principles of transparency, legitimate purpose and proportionality required of information controllers processing data of Filipinos.”

“While you have admitted that dealing with data brokers is industry practice, this is generally considered illegal under Philippine law as a form of unauthorized processing,” Liboro informed Facebook.

He asked the company to submit within 15 days documents on data gathered from Facebook’s dealings with data brokers, information on the sources of data from these data brokers and how they obtain their data.

NPC letter

NPC letter

NPC letter

NPC letter

DISTRESSED USERS

Lawyer Francis Eucero, of the commission’s complaints office, told ABS-CBN News the country’s data privacy laws are much tougher than those in the United States, home country of Facebook, closer to the European standard.

The Philippines, considered one of the world’s social media capitals, represents 67 million accounts on Facebook, more than 95% of the national internet penetration rate.

Facebook CEO Mark Zuckerberg testifies before a House Energy and Commerce Committee hearing regarding the company's use and protection of user data on Capitol Hill in Washington, U.S., April 11, 2018. Reuters

The response of Facebook’s global and regional representatives to queries from the Philippines “has been generic and inadequate to satisfy the mounting concerns of Filipino users,” Liboro complained.

He said some netizens have already expressed distress at having their data shared inappropriately to third parties such as Cambridge Analytica and CubeYou.

This writer received a message from Facebook saying a friend had used the banned app, “This is Your Digital Life.” The message acknowledged the app may have misused some of the information by sharing it with Cambridge Analytica.

A link to how information may have been shared notes that “a small number of people” also shared their own news feed, timeline, posts and messages, “which may have included posts and messages from you.”

AD-DRIVEN BUSINESS MODEL

Liboro said Facebook’s business model relies on its users’ data and some degree of profiling to drive the delivery of content from buyers of ads.

"We are aware that Facebook employs a variety of tools, including the use of artificial intelligence in processing data, and native language speakers to provide context and filter content,” the commission head said.

He said Facebook has not been transparent about these tools and their use in profiling Filipino Facebook users.

“Data subjects have the right to know exactly how their data is being processed. The scope of this right extends to ensuring that Facebook users understand to whom their data is shared, who gets to process their data, and the standards with which their data gets processed,” Liboro stressed.

DATA NEEDED

Liboro listed down the data and documentation required from Facebook within 15 days.

Among these are Facebook’s data sharing with third parties, and documentation on any legal ties that limit or regulate how this data is shared.

He also asked for documents that became the basis of privacy policy changes in 2012 after the 2011 Federal Trade Commission Consent Decree.

Facebook needs to submit the following:

· Terms and conditions of the developer platform with Dr. Aleksandr Kogan, developer of the banned app,

· evidence found of his violations, including a detailed timeline of the discovery and abuse,

· the Facebook employer that discovered the violation;

· documentation between Facebook and Cambridge Analytica;

· evidence which led Facebook to believe that the data had been destroyed; and

· documents on the extent of information shared between Facebook and Dr Kogan and from Dr. Kogan to Cambridge Analytica